LLMs in Banking: A Measured Approach

Balancing Innovation and Risk . . .

As with many new technologies, financial institutions are approaching the use of large language models (LLMs) cautiously. While generative AI has attracted significant attention, current adoption among institutions remains limited and focused on lower-risk use cases, particularly where sensitive customer information is not involved. At present, many institutions exploring LLMs are using them primarily to support marketing content, communications, research, and other productivity-related activities involving non-sensitive information.

In a smaller number of cases, institutions are beginning to explore LLMs or related AI capabilities in operational areas such as loan processing. Where this is occurring, a pattern has emerged: institutions are generally running AI-assisted processes in parallel with existing manual or traditional processes on a limited set of loans to compare outcomes, identify differences, and assess whether risks or biases may be introduced before broader adoption.

Although there is no single piece of financial institution guidance devoted specifically to LLMs, existing regulatory expectations still apply. Financial institutions remain responsible for protecting data, managing risk, and addressing risks associated with new and emerging technologies. This includes evaluating how AI tools are used, whether sensitive or nonpublic customer information could be exposed, and whether third-party AI providers introduce additional vendor or concentration risk concerns.

Two useful frameworks for managing AI-related risk have emerged: the National Institute of Standards and Technology AI Risk Management Framework (AI RMF) and the Cyber Risk Institute AI Risk Management Framework. While neither is specific to financial institutions, both provide practical approaches for identifying, governing, measuring, and managing AI risks and can help institutions begin structuring oversight in a manner consistent with their size and complexity.

Institutions should also be aware of model risk management expectations, which remain relevant when models are used to support decision making. Recent revisions reinforced that model risk management should be tailored to a bank’s size, complexity, and model risk profile. For smaller institutions, this does not necessarily imply large-scale model governance programs, but it does suggest management should understand when AI or model-driven tools influence decisions and apply appropriate oversight proportional to risk.

It is also worth recognizing that AI in banking is not entirely new. Many third parties, particularly in areas such as fraud detection, transaction monitoring, and anomaly detection, have used forms of AI and machine learning for over 20 years. What is new is the accessibility of generative AI tools and the need for institutions to define how these newer tools may or may not be used internally.

At a minimum, institutions should have a policy that defines authorized and unauthorized AI usage. This policy should address acceptable use, restrictions on entering sensitive data into AI tools, approval requirements for new use cases, third-party due diligence considerations, and management oversight responsibilities. Even where AI use is limited today, establishing boundaries early can help institutions support innovation while remaining aligned with safety and soundness expectations.

Original article by Adam Reynolds, CISA. Lead Information Security Officer, infotex

